Open Bug 1245419 Opened 8 years ago Updated 2 years ago

Failed/Untrusted HTTPS connection is reported as successful (200 Connection Established)

Categories

(DevTools :: Netmonitor, defect, P3)

46 Branch
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: Ceremony, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160202004008

Steps to reproduce:

Try to connect to a site for which Firefox enforces HSTS (preconfigured/previously visited). This time however, provide an invalid certificate to that site.


Actual results:

Site refuses to load (good).
The network pane of the dev tools reports 200 Connection Established and no security warning is issued in the log (bad).

In my case, the issue occurred when I had to implement some Google tracking on a company's website and their firewall blocks/hijacks googleadservices.com for tracking protection (oh the irony). googleadservices.com is part of FF's preloaded HSTS list. Upon testing whether what I just implemented worked, I ran into this bug.


Expected results:

Network and log should report such failed connections correctly.
Attached image showcase
I saw many people reporting this issue on community boards.
Component: Untriaged → Networking
Product: Firefox → Core
Component: Networking → Developer Tools
Product: Core → Firefox
Component: Developer Tools → Developer Tools: Netmonitor
Attached image badssl-netmonitor.png
For https://expired.badssl.com/ and also https://subdomain.preloaded-hsts.badssl.com/ I'm seeing no status show up in the netmonitor - as if the request is still pending.
(In reply to David from comment #0)
> In my case, the issue occurred when I had to implement some Google
> tracking on a company's website and their firewall blocks/hijacks
> googleadservices.com for tracking protection (oh the irony).
> googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> whether what I just implemented worked, I ran into this bug.

I'm not sure how to reproduce this scenario locally so I haven't been able to confirm the '200' problem you are seeing. Let me know if you have any ideas how to do that. But I've seen a different variety of bugginess in comment 3.
WFM on Fx45b3, 46.0a2 and 47.0a1.

Steps:
Visit http://hsts.badssl.com/; it works fine. Add the "63.245.215.20 hsts.badssl.com" line to the hosts file, press Ctrl+F5 (also clear the DNS cache if needed); the error screen is shown, and the devtools network panel shows what comment 3 shows.
(In reply to Brian Grinstead [:bgrins] from comment #4)
> (In reply to David from comment #0)
> > In my case, the issue occurred when I had to implement some Google
> > tracking on a company's website and their firewall blocks/hijacks
> > googleadservices.com for tracking protection (oh the irony).
> > googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> > whether what I just implemented worked, I ran into this bug.
> 
> I'm not sure how to reproduce this scenario locally so I haven't been able
> to confirm the '200' problem you are seeing.  Let me know if you have any
> ideas how to do that.  But I've seen a different variety of buginess in
> Comment 3

As I am behind a proxy (http proxy, not SOCKS), it might be this constellation that causes it to report as 200:
Firefox connects to the proxy, as I try visiting a website. However, that site never gets the chance to respond as the proxy hijacks the requests and responds with an invalid certificate. Firefox rejects it, though, as it is already connected to the "site" (=proxy), it lists that connection as 200.
Just a hypothesis, not tested, but that might be the difference between my result and yours.

P.S. At work (with the proxy), https://expired.badssl.com/ and https://subdomain.preloaded-hsts.badssl.com/ result in a 200 response, despite FF rejecting it. At home, I saw the same result as you: grey, as if it's still pending...
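The proxy scenario hypothesised in comment 6 (the proxy answers CONNECT with "200 Connection Established", then the TLS handshake inside the tunnel fails), as an added, constructed example that is not part of this bug report or of Firefox: a fake hijacking proxy on loopback plus a probe that records the proxy's CONNECT status separately from the result of a verifying TLS handshake, so the proxy's 200 is never read as the origin having answered. The hostname hsts.badssl.com is taken from comment 5; the proxy, the port and the 403 block page are constructed for the demo.

```python
import socket
import ssl
import threading

def _fake_hijacking_proxy(listener: socket.socket) -> None:
    """Constructed stand-in for the reporter's corporate proxy: accept the CONNECT
    tunnel, then answer the client's TLS ClientHello with a plain-HTTP block page."""
    conn, _ = listener.accept()
    with conn:
        req = b""
        while b"\r\n\r\n" not in req:          # read the CONNECT request line + headers
            chunk = conn.recv(4096)
            if not chunk:
                return
            req += chunk
        conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")  # tunnel "succeeds"
        conn.recv(4096)                          # swallow the ClientHello
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")  # not TLS

def start_fake_proxy() -> int:
    """Start the fake proxy on a free loopback port; return that port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_fake_hijacking_proxy, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]

def probe_via_proxy(proxy_port: int, target_host: str) -> dict:
    """Open a CONNECT tunnel, then run a verifying TLS handshake through it.
    Proxy status and TLS outcome are kept apart: the distinction the bug says
    the netmonitor collapses into a single 200."""
    result = {"proxy_status": None, "tls_ok": False, "tls_error": None}
    sock = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    with sock:
        sock.sendall(f"CONNECT {target_host}:443 HTTP/1.1\r\n"
                     f"Host: {target_host}:443\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:          # the proxy's answer to CONNECT only
            reply += sock.recv(4096)
        result["proxy_status"] = int(reply.split(b" ")[1])
        ctx = ssl.create_default_context()       # verifies chain and hostname
        try:
            ctx.wrap_socket(sock, server_hostname=target_host).close()
            result["tls_ok"] = True
        except OSError as e:                     # ssl.SSLError is an OSError
            result["tls_error"] = getattr(e, "reason", None) or str(e)
    return result

if __name__ == "__main__":
    print(probe_via_proxy(start_fake_proxy(), "hsts.badssl.com"))
```

A correct netmonitor entry would show the two fields this probe separates: a 200 for the tunnel and a failed, untrusted handshake for the origin.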
Product: Firefox → DevTools
Severity: normal → S3